Some Insecure Resources Can Be Upgraded To HTTPS

Overview

When a secure (HTTPS) site requests an insecure (HTTP) resource, that is called a mixed
content error. Some browsers block insecure resource requests by default. If your page
depends on these insecure resources, then your page might not work properly when they get blocked.

How to use this audit

This audit is not run by default in Lighthouse, and currently requires that you
have Chrome Canary installed. To use it, you will need to run the
Lighthouse command-line tool. You can install Lighthouse using npm:

npm install -g lighthouse

To run the audit, you can use the included --mixed-content flag:

lighthouse --mixed-content http://www.example.com

This will create a new HTML report file in your current working directory.

Recommendations

For each URL that Lighthouse lists, modify your code to request that URL over HTTPS:

https://example.com

Rather than HTTP:

http://example.com

Even if you are not ready to fully upgrade your site to HTTPS yet, upgrading some URLS to
HTTPS can increase the security of your users and make it easier for you to avoid mixed
content warnings when you do upgrade to HTTPS in the future. See Uses HTTPS for
recommendations on how to upgrade your site to HTTPS.

Insecure resources which are not upgradeable to HTTPS may require other changes. Contact the
providers of these resources to explore your options.

More information

Lighthouse loads the page once to record the URL of each resource requested. Then, Lighthouse
loads the page again, but this time intercepts each request and tries to upgrade the URL to
use HTTPS. If the upgraded requests succeed, Lighthouse reports that request as upgradeable in
the audit results.